Rated 5 out of 5 by Michael Varga It prevents scanning, malware spread, corporate asset misuse, and reconnaissance on our network by third-party devices. Valuable Features:* Network Access Control, it's core use* Asset Intelligence for deskside* "What port is it plugged into" intelligence for deskside* Patch-level intelligence for the Patch Management team* "What PC is a user on" for helpdesk/IT security/deskside* It's highly used across our departmentImprovements to My Organization:* Immediate relocation of network devices to segregated "Vendor" network based on autonomous analysis. Prevents scanning, malware spread, corporate asset (i.e. printer) misuse, and reconnaissance on our network by third-party devices. Allows us to block VPN from our corporate network but still allow Vendors to establish them.* Better information provided by Level 1 support (helpdesk) regarding asset information as we provide them with R/O access to the tool* Visitor policy communication & acceptanceRoom for Improvement:* JAVA Memory management - leaving the app running for multiple days requires relaunch* Search - needs boolean functionality* Search - If a console user right click/pastes their clipboard contents into the search field (ie: IP address) the field fails to clear the "Search" word in the field, resulting in the search string of "Search172.0.0.1". Typing in the field does not result in this issue. - FIXED!Use of Solution:3 YearsDeployment Issues:No issues encountered.Stability Issues:Stability has been good.Scalability Issues:* Currently scaling out to international operations* It is very scalable, allowing additional strategic appliances as required in either physical or VMs.* We control ~150 field sites and two major metro sites with three appliances.Customer Service:It's excellent.Technical Support:It's excellent.Previous Solutions:No previous solution was used.Initial Setup:It was straightforward, although I recommend having a strong relationship with network-asset owners to ensure SNMP rights are looked after.Implementation Team:We used a vendor, Conexsys (Graham Cheng & Jerry G), who were excellent.Cost and Licensing Advice:It's not a cheap tool, but it's very useful and effective.Other Solutions Considered:This was chosen without hands-on evaluation based on reviews and industry feedback.Other Advice:If you have distributed services (DHCP), strategically ensure you generate reliable traffic to establish timely inspections. We've avoided the use of traps by centralizing our DHCP at HQ, but it causes black holes during inspection schedules in case of a static device being plugged in.Disclaimer: I am a real user, and this review is based on my own experience and opinions. October 2, 2016

Rated 4 out of 5 by NwkSecSpecialist794 We like that it can do network access control either with 802.1x or without 802.1x since many network devices are not ready to do 802.1x. Valuable Features:The most valuable features of ForeScout is the fact that it can do network access control either with 802.1x or without 802.1x. Many network devices are not ready to do 802.1x. Lots of endpoints are not ready to do it, or they're poor at it, so having a non-.1x solution is critical for maintaining stability on our network.Improvements to My Organization:We did not have a NAC prior to ForeScout. It provides constant monitoring of the endpoints either through an agent or periodic monitoring with a local admin account. This makes posturing very easy to do. Once the device is on the network, we're able to determine, does it continue to meet the requirements that we need for a device to stay on the network?Room for Improvement:Definitely, having more third-party integration would be an improvement. This is something that they're doing. Other products that we have on our network, if we're able to get ForeScout to talk with them, we'll get much better information to those products, things like Splunk and other data gathering.Also, I think we have Rapid7, so all these different programs that want to collect a lot of information, ForeScout is able to do that. So having it being able to talk to them, the more it can talk to, the better it is.I think there are some product maturity issues in terms of the web interfaces that its able to present for end users. They're working on those. Those are improving, and just other features that come along with them growing into this space that they have. They're getting feedback from us, and they're getting feedback from other very large customers on what to do to improve, and they respond very well.Use of Solution:2 yearsDeployment Issues:We've had no issues with deployment.Stability Issues:We had a few issues that were unique to our environment, but ForeScout tech support has been very timely in being able to respond to them and getting us support we needed. We have had to have a few reboots due to some outages, but again, these are things that were able to be resolve very quickly. Overall, I would say that this is a stable solution.Scalability Issues:We're a huge company, over 100,000 employees, and it does require that we have done our homework ahead of time -- that we know where our address space is, that we know what's out there, and being able to come up with a deployment plan is our responsibility. Once we had that, we were able to go with it, and it works very well.Customer Service:Very good.Technical Support:Very good.Initial Setup:Device setup is straightforward - NAC itself is always a complex thing due to its profiling of EVERY device that connects to the network.Implementation Team:The ForeScout engineers were there to help us without the standard, "Oh, you have over 100,000 endpoints? Well here's what every 100,000-endpoint company does."Other Solutions Considered:We compared ForeScout to Cisco ISE. There were some other vendors in this space, but we felt they were for mid-sized companies at largest. Cisco looked like they had an offering that would be able to compete head-to-head with it in terms of size. The reason we picked this over ISE was because ForeScout had a non-802.1x solution for the wired network. We would avoid a lot of chaos and a lot of destruction if we go that route. Also, ForeScout had fewer vulnerabilities whereas Cisco ISE had several level-10 vulnerabilities that have been observed over the years. While we were testing it, two of them came out.ForeScout has never had a vulnerability above 7.0, so when we look at the security of the system, it definitely meets that requirement where this is not something that's going to be compromised the way it looked, as though Cisco ISE had some potential for that. Much less disruptive, both Cisco ISE and ForeScout really require a client to get the full features of the system. They say that it can run client-less, but having the client gives a lot better functionality, and the ForeScout client just worked a lot better for us on our endpoints.Other Advice:The most important thing would be that a NAC project involves more than just the network. You've got to have client people, PKI people, active directory people all working together with the network to make this product work and make it happen. There's so many ways that it could interrelate. If you're in a very large company, you've got to break down the silo walls and get everybody together from the beginning to make this thing work out, but once you have those people together, this is something that every group wants to have. Desktop people want it, the mobile people want it, the scanning people. Everybody wants it once they see it, so it does sell itself, but you've got to have that education meeting up front.Disclaimer: I am a real user, and this review is based on my own experience and opinions. August 9, 2016

Rated 5 out of 5 by Michael Varga It prevents scanning, malware spread, corporate asset misuse, and reconnaissance on our network by third-party devices. Valuable Features:* Network Access Control, it's core use* Asset Intelligence for deskside* "What port is it plugged into" intelligence for deskside* Patch-level intelligence for the Patch Management team* "What PC is a user on" for helpdesk/IT security/deskside* It's highly used across our departmentImprovements to My Organization:* Immediate relocation of network devices to segregated "Vendor" network based on autonomous analysis. Prevents scanning, malware spread, corporate asset (i.e. printer) misuse, and reconnaissance on our network by third-party devices. Allows us to block VPN from our corporate network but still allow Vendors to establish them.* Better information provided by Level 1 support (helpdesk) regarding asset information as we provide them with R/O access to the tool* Visitor policy communication & acceptanceRoom for Improvement:* JAVA Memory management - leaving the app running for multiple days requires relaunch* Search - needs boolean functionality* Search - If a console user right click/pastes their clipboard contents into the search field (ie: IP address) the field fails to clear the "Search" word in the field, resulting in the search string of "Search172.0.0.1". Typing in the field does not result in this issue. - FIXED!Use of Solution:3 YearsDeployment Issues:No issues encountered.Stability Issues:Stability has been good.Scalability Issues:* Currently scaling out to international operations* It is very scalable, allowing additional strategic appliances as required in either physical or VMs.* We control ~150 field sites and two major metro sites with three appliances.Customer Service:It's excellent.Technical Support:It's excellent.Previous Solutions:No previous solution was used.Initial Setup:It was straightforward, although I recommend having a strong relationship with network-asset owners to ensure SNMP rights are looked after.Implementation Team:We used a vendor, Conexsys (Graham Cheng & Jerry G), who were excellent.Cost and Licensing Advice:It's not a cheap tool, but it's very useful and effective.Other Solutions Considered:This was chosen without hands-on evaluation based on reviews and industry feedback.Other Advice:If you have distributed services (DHCP), strategically ensure you generate reliable traffic to establish timely inspections. We've avoided the use of traps by centralizing our DHCP at HQ, but it causes black holes during inspection schedules in case of a static device being plugged in.Disclaimer: I am a real user, and this review is based on my own experience and opinions. August 2, 2016

Rated 5 out of 5 by NetworkAdmin817 As a university, we have used ForeScout to help us get a hold on student computers and their infections. Valuable Features:As a university, we have used ForeScout to help us get a hold on student computers and their infections, and to keep those infected systems off our network. We are also currently using ForeScout as a mechanism to allow us to automatically move student game consoles to a separate VLAN, and then move the port back to the primary dorm VLAN when a PC or other device is plugged in.Improvements to My Organization:ForeScout has the built-in ability to identify network devices without a separate subscription or device, and that allows us to identify when students plug into a switch or router (not allowed on our network), or tries to put their computer on the less restrictive game console VLAN. The rule sets allow you to configure different rules for different devices or networks from a single location, and provides a single-pane-of-glass view into any network traffic it can see.Room for Improvement:The configuration of the rules is both a blessing and a curse. While it is almost infinitely configurable, knowing how to get the product to do what you want it to do can be difficult, especially at first.The biggest problem we have had with ForeScout is that in order for it to see all of your network traffic it must have access to that traffic. So if your traffic has multiple ways to reach the internet or other resources, then you need multiple network taps in place to see that traffic.Use of Solution:We have used ForeScout since summer of 2012.Deployment Issues:Other than the infinite configurability and need to have multiple network taps to see all traffic, we haven't had issues with deployment.Stability Issues:Stability has been like a rock, and it is a product that just seems to work.Scalability Issues:We have had no issues with scaling it for our needs.Technical Support:We have had mixed success with support. Sometimes we had amazing people who knew just what we needed and how to help us get there with minimal fuss. Other times we were explaining to support how to work around an issue so other customers wouldn’t have to deal with what we were dealing with.Previous Solutions:We previously used Perfigo, which was later bought by Cisco and became Clean Access. ForeScout offered us a device with a 10GB connection, and that on top of the feature set for the price sealed the deal.Initial Setup:The initial setup was very straightforward, but due to our backbone switch/network configuration, we had to make last minute tweaks to get the product to see all our traffic. Also, we struggled to get our rules properly configured so that students weren’t negatively impacted by misconfigurations that would either prevent them from getting on the network at all, or repeatedly require them to log in.Our third-party consulting firm (Konsultek), hit one out of the park in helping us, and they made sure we were up and running before the start of school, despite our tight timeframe for implementation.Implementation Team:We used a third-party group to assist us with implementation, and that made all the difference for us as we were able to pull from their experience and knowledge to help us get up and running.Other Advice:The best advice I can offer is to make sure to understand the rules and how they work as that was a bit of an issue for us in the first few weeks when we worked out how to “fix” some of the issues (client time-outs, repeatedly being asked to log in) as they came up. Also, test everything before rolling out to production.ForeScout provides some of the greatest visibility into network traffic, showing you exactly who is doing what, down to the port and protocol being used, capturing entire conversations between endpoints. It is a simply fantastic tool that provides network and security persons with the ability to throw up honeypots.Disclaimer: I am a real user, and this review is based on my own experience and opinions. April 14, 2016

Rated 3 out of 5 by Keith Franco The most valuable feature for us is the real-time alerting of newly connected devices. The reporting could be a bit more intuitive and user friendly. Valuable Features:The most valuable feature for us is the real-time alerting of newly connected devices, whether they are approved or unapproved devices on our network.Improvements to My Organization:Since our implementation of CounterACT, it has kept us aware of unapproved devices attempting to connect to our network which pose security threats.Room for Improvement:The reporting could be a bit more intuitive and user friendly.Use of Solution:I have used CounterACT for two years.Deployment Issues:There were many issues with deployment, but these were largely due to our own network architecture issues.Stability Issues:There were many issues with stability, but these were largely due to our own network architecture issues.Scalability Issues:There were many issues with scalability, but these were largely due to our own network architecture issues.Technical Support:I'd rate ForeScout's technical support as fair-to-good.Previous Solutions:We did not have a previous NAC solution in place prior to CounterACT.Initial Setup:The initial setup was complex.Implementation Team:We used a vendor team for the implementation.Other Advice:Do your homework ahead of time. Ensure that you have up-to-date network maps and that understand your network's architecture.Disclaimer: I am a real user, and this review is based on my own experience and opinions. April 1, 2016

Rated 4 out of 5 by Stefano Benaglia You can use it to implement 802.1x on your infrastructure and also have a very granular control of your devices, including shadow devices. Valuable Features:The most important feature is that this solution works well without a 802.1x feature. You can use CounterACT to implement that feature and also have a very granular control of your devices, including shadow devices.Improvements to My Organization:We were searching for a solution that could help us not only to detect and manage unauthorized access, but also to implement 802.1x on our infrastructure. And when we were working to reach that goal, we found other improvements from using CounterACT, such as antivirus installation, P2P control, and shadow IT -- and that's another plus for them.Room for Improvement:The best improvement they could make would be reporting and better integration with AD. Last but not least, a management web interface would be nice in the next version/release.Use of Solution:We've used it for about a year.Deployment Issues:We had no issues with the deployment.Stability Issues:We have an HA cluster in place that works very well. We've had no issues with stability.Scalability Issues:We had no issues scaling it for our needs.Technical Support:Fortunately, for now, we've had no need to call technical support.Previous Solutions:We didn't have a NAC solution in place. This is the very first solution we've tried mostly because other solutions have 802.1x as a mandatory requirement.Initial Setup:It was not so easy to deploy in our environment, the learning curve for this solution is quite hard.Implementation Team:From my experience, it is impossible to implement this kind of solution in-house. You need a consultant or a trained person who can do this job.Disclaimer: I am a real user, and this review is based on my own experience and opinions. March 27, 2016

Rated 4 out of 5 by Mark Vandendyke If a machine becomes infected by a user accessing the web, it has the ability to immediately quarantine that machine, isolating it from the network. Valuable Features:* Alerting as to non-compliant machines* Ability to quarantine infected machines* Ability to determine if patches are not up to dateImprovements to My Organization:If a machine becomes infected by a user accessing the web, ForeScout has the ability to immediately quarantine that machine, isolating it from the network. Before this, someone would literally have to run down the hall and shut off a machine in the event of a breach and infection by malware.Room for Improvement:It needs enhanced mobile support, but I have heard that this is coming.Use of Solution:We've used it for six months.Deployment Issues:It took some time to get the policies set up and applied once ForeScout was physically in place. A dedicated resource and timely decisions from management can make this deployment faster. Make sure you account for anything and everything in your environment which has an IP address. We also had one device that was DOA but it was quickly replaced.Stability Issues:We have had no stability issues.Scalability Issues:Scalability was not a problem for this site as we have less than 1000 endpoints.Technical Support:Excellent. Our support engineer was extremely helpful and available.Previous Solutions:This was the first of its kind in the environment.Initial Setup:With the assistance of the support engineer, it wasn't too bad. But it depends upon the state of your network. If everything is set up correctly, it will go much smoother. For example, having SNMPv3 activated everywhere is a requirement so that ForeScout can see everything.Implementation Team:We used our in-house personnel with the support engineer guiding us along via WebEx.Cost and Licensing Advice:They are competitively priced for a medium-to-large sized organization.Other Solutions Considered:This is not a very crowded segment for this kind of a product, and ForeScout is the best known of this small field.Other Advice:They also offer a monitoring service which is a good value if you do not have someone in house to monitor ForeScout on site. This can be full or part time. ForeScout is a powerful network access control tool that has some features found in insider threat solutions, though it is not exactly made for that.Disclaimer: I am a real user, and this review is based on my own experience and opinions. March 20, 2016

Rated 4 out of 5 by VPInfraMgmt643 It provides us with visibility into what's connected to our network, such as contractors, mobile devices, and whether they're a part of our corporate asset list or not. Valuable Features:It provides us with visibility into what's connected to our network, such as contractors, mobile devices, and whether they're a part of our corporate asset list or not.Improvements to My Organization:We use it to prevent malicious activities on our network that potentially infiltrate it. We've been able to take out over twenty percent of our threats connected into our environment that we just never had a means to stop from connecting up to our network.We've discovered regular assets. Let's say you had a mobile device, you walked into our network, and you said "hey, I need to connect up to the network. I'm a contractor here for you all and I'm going to add in one device". You immediately now have access into our environment.Room for Improvement:It needs easier integration to other partners that automate functions within the security phase. There's no difference because you're not going to be able to fill the places fast enough for all these security people. So how do you get it to be able to manage more with less people by automating some of the functions? So when, for instance, NetScout discovers something and installs a ticketing system instead of sending an alert to a person, it automatically opens a ticket with the appropriate levels and automates that stuff.Deployment Issues:We've had no issues with deployment.Stability Issues:It has been stable. The benefit wasn't around stability, it was more around preventing instability. What we were fearful about is whether or not customers would get impacted by the restriction of them not being able to connect to the network.For instance: you're an employee, your laptop was part of our asset, but your phone was not and your tablet was not. All of the sudden, now all three of those devices were all connected into environment. Well, I only want your laptop to be connected. Your mobile devices, I really don't care to because when you go, you surf wherever you want on your stuff. You could probably pull up malware and then plug it in as soon as you put in your credentials into our network. So we want to keep that one off and allow you to connect to the network but connect to the internet, but not to my infrastructure.Scalability Issues:We haven't scaled it all the way up, but we started to pilot, grew it to a couple of floors, and then grew it to an entire building.Technical Support:I've never had to use it.Initial Setup:My understanding is that it was complex simply because my mandate is to zero-in back to the user.Other Solutions Considered:We did look at multiple partners and we ended up with ForeScout.Other Advice:Definitely use it. It's a good protection tool.Disclaimer: I am a real user, and this review is based on my own experience and opinions. March 9, 2016